This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

SSO for O365 works for IE 11, but not Chrome version 63

Question
0

Sign in to vote

Hi,

We have ADFS 2012 R2 in place. If I clear down cookies and make sure I'm logged out of O365, reboot and then login to "portal.office.com" and "contoso.sharepoint.com", IE automatically logs me in, but Chrome prompts for a username to be picked. Once I pick the username or enter "mark@contoso.com" I'm automatically directed to ADFS and login straight away (Chrome doesn't need a password, it grabs it from Windows).

How can we get Chrome to work with SSO?

IE settings:
local intranet zone has "https://portal.office.com" and "https://contoso.sharepoint.com"
User authentication\Logon set to "Automatic logon only in the intranet zone"

ADFS settings:
PS C:\> Get-AdfsGlobalAuthenticationPolicy
AdditionalAuthenticationProvider : {}
DeviceAuthenticationEnabled : False
PrimaryIntranetAuthenticationProvider : {FormsAuthentication, WindowsAuthentication}
PrimaryExtranetAuthenticationProvider : {FormsAuthentication}
WindowsIntegratedFallbackEnabled : True
PS C:\> Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
Mozilla/5.0
Edge/12
PS C:\>

IT Support/Everything

Wednesday, September 19, 2018 2:21 PM

All replies

0

Sign in to vote

What version of Chrome are you using?
Have you verified which User Agent that version of Chrome uses?

Friday, September 21, 2018 8:47 AM
0

Sign in to vote

Chrome version 63.0.3239.108

I think I need to add Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + “Chrome”) as mentioned below

Presumably I can remove the string by using - "Chrome)

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

Will test when I get some time.
IT Support/Everything

Friday, September 21, 2018 11:34 AM
0

Sign in to vote

Run the command Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0"

The only caution I would add that if you do not use the "expand" and use just Set-AdfsProperties -WIASupportedUserAgents with just "Chrome" then you will only have that browser enabled and lose all the others. It is an accretive command!

Friday, September 21, 2018 8:42 PM
0

Sign in to vote
Thanks, I'll be sure to use the expand. We've got our ADFS servers WID load balanced, so I'll power off and snapshot the primary beforehand just in case I need another roll back...

Is "+ "Mozilla/5.0"" needed? It's already listed,

IT Support/Everything
- Edited by Aetius2012 Monday, September 24, 2018 10:27 AM .
Monday, September 24, 2018 10:25 AM
0

Sign in to vote

Sorry - I missed that is was there already. Not needed!

Wednesday, September 26, 2018 3:19 PM
0

Sign in to vote

I managed to test this yesterday, unfortunately, adding Chrome didn't work as mentioned

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

I used their recommended string, as well as trying the code below.

#Use an array list, as it's dynamic, arrays are fixed size
[System.Collections.ArrayList]$UserAgents = Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents
$UserAgents.add("chrome")
# Use line below to roll back
# $UserAgents.Remove("chrome")
Set-ADFSProperties -WIASupportedUserAgents $UserAgents

Restarted ADFS services, but Chrome still wouldn't perform SSO (WindowsIntegratedFallbackEnabled is true)

Looking at the browser string from whoishostingthis my browser is reported as below. Do I need to add the entire string in and what happens if the next version of Chrome comes out?

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

Thanks

IT Support/Everything

Friday, September 28, 2018 9:43 AM